Aerogear Guides Tutorials to help get you off and running.

AeroGear Two-Factor Authentication with OTP

Introduction

If you happen to use online banking systems, certainly you will have come across small security devices that provide you with an extra password during your login process. That is, in addition to your standard username/password combination, you are asked to provide an extra password, the so called "One Time Password" (OTP)". That has two effects a) the bank can verify that you are the actual person making the transaction because of the possession of this device that only you can have, the so called possession factor in the two-factor authentication system and b) prevents replay attacks cause the password is only valid for a limited amount of time. This generation of the OTP password can either be done using a hardware device (hardware token) as we described earlier, or with the help of a mobile application running on a smartphone (software token).

In general, there are two approaches to OTP generation, either Mathematical-algorithm-based or Time-synchronized. The former, as the name suggests uses a complex mathematical algorithm, typically a cryptographic hash function in a hash chain mode, together with a secret key to generate the password. The latter, takes also into consideration the time, which causes the password to change constantly over a period of time e.g. once per minute, greatly enhancing security. On example of such approach is the Time Based One Time Password (TOTP).

So how OTP is related to the AeroGear project? Well recently, with the amazing work of my fellow developer abstractj, library implementations for both iOS and Android (and soon Javascript) of the OTP standard were introduced to the project. Currently they support only TOTP with SHA1 but work is in progress to add additional support for the other standard OTP algorithm, the event-based HOTP, together with more cryptographic hash functions support SHA-256/512.

So how do you use it?

First, a shared secret needs to be obtained that will be used for the calculation of TOTP. Here we use a static string for the purpose of the tutorial and in our demo we transfer it from the network. In practice, a QRCode encoded image of the secret should be used, so the secret should not travel across the network! In the future we will use encoded images for it.

In both cases variable "totp" now holds our token which can be send to the remote authentication server to validate.

Worth noticing is that the Java implementation has the verifier component also implemented, so if you back-end is Java, you can also use the implementation in your server-side back-end to verify totp tokens.

If you are an iOS developer, you can find the library already in the coccoapods. Further a demo application has been created that demos the library in action, so I suggest you have a look. You can find it here.

If you are an Android developer, you can find the library already in maven. Just include it in your project.

For more in-depth information about OTP and AeroGear, I suggest you to look at the official documentation page here. The page includes nice diagrams showing the flow of the authentication process and will help you to better understand the concept.